
Thursday, September 19, 2013

Enabling TLS for Exchange Server 2010

I’ve recently been asked to troubleshoot why TLS wasn’t working for an Exchange 2010 server even though the obvious settings had been configured. What I found was that most administrators tend to perform only one of the two required steps and are therefore left wondering why TLS isn’t offered by the Exchange server, so this post outlines both steps so that I can direct anyone who runs into this issue here.

How do you know whether your Exchange server is performing opportunistic TLS?

The easiest way to determine whether the Exchange server is performing opportunistic TLS is to simply telnet to the hub transport server on port 25:

telnet localhost 25

Note that I’m logged on directly to the Exchange server in the screenshot above, so substitute localhost with either the external MX record name or the name / IP of the hub transport server if you’re coming from the internal network.

Execute the command:

ehlo

… and look for 250-STARTTLS in the output:

Notice how the screenshot above does not contain the 250-STARTTLS line, which means this Exchange server is not going to accept TLS connections.
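As an added example (not part of the original post), a small Python script that performs the EHLO check above and classifies the reply; the `parse_ehlo` and `check_starttls` helpers, the client name and the sample replies are all constructed here. It also flags extension keywords that have been rewritten to runs of X characters, the signature of ESMTP inspection mentioned in the comments at the end of this post.

```python
"""Classify an SMTP server's EHLO reply: is STARTTLS advertised?
Added example, not from the original post; parse_ehlo() runs offline on
captured text, check_starttls() performs the live EHLO exchange."""
import re
import smtplib

# A keyword reduced to a run of X characters (plus a stray trailing letter)
# is what an ESMTP-inspecting firewall leaves when it masks a command.
_MASKED = re.compile(r"^X{4,}[A-Z]?$")


def parse_ehlo(response: str) -> dict:
    """Return extensions, masked keywords and a verdict for one 250 reply."""
    extensions, masked = [], []
    lines = response.replace("\r\n", "\n").split("\n")
    # lines[0] is the server's greeting, not an extension keyword.
    for line in lines[1:]:
        if line[:3] != "250":
            continue
        keyword = line[4:].strip().split(" ", 1)[0].upper()
        if not keyword:
            continue
        (masked if _MASKED.match(keyword) else extensions).append(keyword)
    if "STARTTLS" in extensions:
        verdict = "starttls"
    elif masked:
        verdict = "masked"   # an inspecting device rewrote the reply
    else:
        verdict = "absent"   # check Domain Security and the SMTP certificate
    return {"verdict": verdict, "extensions": extensions, "masked": masked}


def check_starttls(host: str, port: int = 25) -> dict:
    """Connect to host:port, send EHLO and classify the reply (needs network)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        code, msg = smtp.ehlo("tlscheck.example")  # assumed client name
        if code != 250:
            return {"verdict": "error", "extensions": [], "masked": []}
        # smtplib strips the "250-" prefixes; put them back for parse_ehlo().
        body = "\n".join("250-" + ln for ln in msg.decode("latin-1").splitlines())
        return parse_ehlo(body)


# Constructed sample replies (not captured from any real server).
SAMPLE_OK = "250-mail.example.test Hello\r\n250-SIZE 10485760\r\n250-STARTTLS\r\n250 OK"
SAMPLE_NO_TLS = "250-mail.example.test Hello\r\n250-SIZE 10485760\r\n250 OK"
SAMPLE_MASKED = "250-mail.example.test Hello\r\n250-SIZE 10485760\r\n250-XXXXXXXXA\r\n250 OK"

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_NO_TLS, SAMPLE_MASKED):
        print(parse_ehlo(sample)["verdict"])
```

Run `check_starttls("mail.example.test")` against your own hub transport server to get the same verdict for a live connection.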

… are actually the same, as one of them is configured through the Exchange Management Console and the other through PowerShell.

Option #1 - Exchange Management Console:

To enable the setting in the EMC, navigate to Microsoft Exchange On-Premises –> Server Configuration –> Hub Transport and select the appropriate receive connector that receives email from the internet:

Open up the properties of the receive connector and navigate to the Authentication tab, then check off Enable Domain Security (Mutual Auth TLS):

Option #2 - PowerShell:

The second way of enabling the setting is to launch PowerShell and then use the Set-ReceiveConnector cmdlet. You can also check whether the setting is enabled by using the:

Note how the screenshot above now displays the DomainSecureEnabled property as being True.

If you open up the properties of the receive connector, you’ll see that the Enable Domain Security (Mutual Auth TLS) setting is checked off:

Step #2 – Assign a certificate to the SMTP service:

I find that most administrators tend to miss step 2, which is to assign a certificate to the SMTP service. Ensure that you have a certificate whose CN, or an entry in its SAN, matches the A record name that the MX record points to, then use the:

I have followed these excellent steps as far as I can, but I am still not getting the 250-STARTTLS message. One of the problems is, I think, that we are sending/receiving via a smarthost (MessageLabs) and I can't set the DNS routing part on the Send Connector, and get TLS to work. Any suggestions?

Just an FYI, by default, Cisco PIX/ASA/Firewall devices do ESMTP inspection and specifically block the STARTTLS command on SMTP sessions. This is most often the cause of TLS failing to function properly. Exchange Receive Connectors on Port 25 since 2007 support TLS by default, so additional configuration should not be necessary on Exchange to get the STARTTLS command visible. The only thing that needs to be there on the connector for STARTTLS is the checkmark next to TLS on the Authentication tab.

If your Cisco device is blocking STARTTLS, you'll see XXXXXXXXXA or XXXXXXXXB in the list of advertised commands when connecting to the SMTP server.